@nextclaw/server 0.10.20 → 0.10.21

package/dist/index.js

@@ -1,7 +1,6 @@
 // src/ui/server.ts
 import { Hono as Hono2 } from "hono";
 import { compress } from "hono/compress";
-import { cors } from "hono/cors";
 import { serve } from "@hono/node-server";
 import { WebSocketServer, WebSocket } from "ws";
 import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
@@ -5162,12 +5161,75 @@ var DEFAULT_CORS_ORIGINS = (origin) => {
   }
   return void 0;
 };
+var DEFAULT_ALLOWED_CORS_HEADERS = "Content-Type, Authorization";
+var DEFAULT_ALLOWED_CORS_METHODS = "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS";
+function readRequestHeader(request, name) {
+  return request.headers.get(name)?.trim() ?? null;
+}
+function appendVaryHeader(headers, value) {
+  const current = headers.get("Vary");
+  if (!current) {
+    headers.set("Vary", value);
+    return;
+  }
+  const values = current.split(",").map((item) => item.trim()).filter(Boolean);
+  if (!values.includes(value)) {
+    values.push(value);
+  }
+  headers.set("Vary", values.join(", "));
+}
+function resolveAllowedCorsOrigin(requestOrigin, policy) {
+  if (!requestOrigin) {
+    return null;
+  }
+  if (policy === "*") {
+    return requestOrigin;
+  }
+  if (Array.isArray(policy)) {
+    return policy.includes(requestOrigin) ? requestOrigin : null;
+  }
+  return policy(requestOrigin) ?? null;
+}
+function applyCorsHeaders(params) {
+  params.headers.set("Access-Control-Allow-Origin", params.allowOrigin);
+  params.headers.set("Access-Control-Allow-Credentials", "true");
+  params.headers.set("Access-Control-Allow-Methods", DEFAULT_ALLOWED_CORS_METHODS);
+  params.headers.set(
+    "Access-Control-Allow-Headers",
+    params.allowHeaders?.trim() || DEFAULT_ALLOWED_CORS_HEADERS
+  );
+  appendVaryHeader(params.headers, "Origin");
+  appendVaryHeader(params.headers, "Access-Control-Request-Headers");
+}
 function startUiServer(options) {
   const app = new Hono2();
   app.use("/*", compress());
-  const origin = options.corsOrigins ?? DEFAULT_CORS_ORIGINS;
+  const corsPolicy = options.corsOrigins ?? DEFAULT_CORS_ORIGINS;
   const authService = new UiAuthService(options.configPath);
-  app.use("/api/*", cors({ origin, credentials: true }));
+  app.use("/api/*", async (c, next) => {
+    const allowOrigin = resolveAllowedCorsOrigin(readRequestHeader(c.req.raw, "origin"), corsPolicy);
+    const allowHeaders = readRequestHeader(c.req.raw, "access-control-request-headers");
+    if (c.req.method === "OPTIONS") {
+      if (allowOrigin) {
+        const headers = new Headers();
+        applyCorsHeaders({
+          headers,
+          allowOrigin,
+          allowHeaders
+        });
+        return new Response(null, { status: 204, headers });
+      }
+      return new Response(null, { status: 204 });
+    }
+    await next();
+    if (allowOrigin) {
+      applyCorsHeaders({
+        headers: c.res.headers,
+        allowOrigin,
+        allowHeaders
+      });
+    }
+  });
   const clients = /* @__PURE__ */ new Set();
   const publish = (event) => {
     const payload = JSON.stringify(event);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextclaw/server",
-  "version": "0.10.20",
+  "version": "0.10.21",
   "private": false,
   "description": "Nextclaw UI/API server.",
   "type": "module",
@@ -18,12 +18,12 @@
     "@hono/node-server": "^1.13.3",
     "hono": "^4.6.2",
     "ws": "^8.18.0",
-    "@nextclaw/mcp": "0.1.20",
-    "@nextclaw/ncp": "0.3.1",
-    "@nextclaw/ncp-http-agent-server": "0.3.1",
+    "@nextclaw/mcp": "0.1.21",
     "@nextclaw/runtime": "0.2.8",
+    "@nextclaw/core": "0.9.8",
+    "@nextclaw/ncp-http-agent-server": "0.3.1",
     "@nextclaw/openclaw-compat": "0.3.11",
-    "@nextclaw/core": "0.9.8"
+    "@nextclaw/ncp": "0.3.1"
   },
   "devDependencies": {
     "@types/node": "^20.17.6",